8. Choose the field Action on Client Settings. This parameter refers to the profile group configuration in the Secure Login Client.

9. Select Keep to preserve the profile group configuration of SAP NetWeaver Single Sign-On 1.0 in Secure Login Client.

10. Save your changes.

Related Information

Parameters for Downloading Policies Using Profile Groups [page 288]

When you create a profile group from the client authentication profiles, you can specify some properties, such as protocol, host name, policy update interval, timeout, and actions after policy download.

5.4.7 Migration of Certificate User Mapping in the Secure Login Server

This topic describes how you migrate certificate user mapping to SAP Single Sign-On 2.0.

Prerequisites

Certificate user mapping is available in SAP NetWeaver Single Sign-On 1.0 and is to be migrated to SAP Single Sign-On 2.0.

User mapping is only possible with an LDAP or Active Directory server.

Context

The aim of the Secure Login Server user mapping is to bridge logon between Windows operating systems and an SAP environment. To do this, the Secure Login Server issues a certificate containing user information that other applications use. The certificate conveys user information, not necessarily a user name.

This means that you do not need a user-to-user mapping; the information in the certificate ensures that the authentication requests of a certain user are accepted.

The application recognizes the information and uses it to map to a certain user.

User mapping is possible in the following applications:

● LDAP

We recommend that you run SAP Single Sign-On 2.0 in parallel with a Secure Login Administration Console of SAP NetWeaver Single Sign-On 1.0.

You must define an LDAP destination. For more information, see the related link.

Enter the optional parameters in the LDAP Server Authentication (Optional) section of Destination Management. Proceed as follows:

Procedure

1. Open the Secure Login Administration Console.

https://<host_name>:<port>/webdynpro/resources/sap.com/securelogin.ui/Main

Example: https://example.com:50001/webdynpro/resources/sap.com/securelogin.ui/Main

2. Select the Destination Management tab.

3. Go to the Settings tab.

4. Choose the Edit button.

5. Go to the LDAP Server Authentication (Optional) section.

6. Enter values for the parameters. You need to specify the LDAP search base DN and the service user name.

Entering a password is optional.

7. Save your changes.

For more information on the parameters, and for the mapping of the destination management parameters between the two releases, see the related links.

8. Go through the user logon ID mapping in the user certificate configuration of the client authentication profile and enter the parameters you need. For more information, see the related link.

9. (Optional) If you want to use user logon ID padding, enter the required values from SAP NetWeaver Single Sign-On 1.0. For more information, see the related link.

Related Information

Mapping of Parameters for Destination Management [page 304]

Creating Destinations [page 175]

Mapping of Parameters for User Certificate Attribute Configuration [page 304]

During a migration, this table enables you to map the user certificate attributes from SAP Single Sign-On 2.0 with the user-defined property in SAP NetWeaver Single Sign-On 1.0.

Parameters for Destination Management Configuration [page 296]

Configure destinations if you use LDAP or RADIUS login modules or user logon ID mapping.

Configuring the Certificate Attributes for User Mapping when Migrating Secure Login Server [page 181]

This topic describes the certificate attribute configuration during a migration of Secure Login Server.

Configuring User Logon ID Padding (Optional) in Secure Login Server [page 182]

5.4.7.1 Example for Implementing Migrating User Mapping with Secure Login Server

This is an example of user mapping migration with Secure Login Server, using an LDAP user with a User Management Engine (UME).

You have an LDAP user and want to use it in the User Management Engine (UME) of an Application Server ABAP as well. You want to add further attributes to the certificate Distinguished Name, for example the e-mail address, AUTH:UPN, or AUTH:DCS.

The user authenticates with Secure Login Server at a User Management Engine of an Application Server ABAP.

The Secure Login Server connects to LDAP to get further attributes from the LDAP search base. These attributes are maintained in the Distinguished Name of the user certificate.

A user logs on to Secure Login Server with user name and password. The Secure Login Server receives the user name and password in the authentication request and identifies the user. The Secure Login Server issues a certificate that contains information about the user, for example the e-mail address.

Now the user authenticates with Secure Login Client or Secure Login Web Client at the SAP GUI. Using User Maintenance (transaction SU01) in the Application Server ABAP, you enter the certificate Distinguished Name as the SNC name of the SAP user. The Application Server ABAP reads the user information (the e-mail address) that is sent with the certificate and identifies the appropriate SAP user.

Note

For more information, see SAP NetWeaver Library: Function-Oriented View > Security > Network and Transport Layer Security > Transport Layer Security on the AS ABAP > Secure Network Communication > Configuring SNC on AS ABAP > User Maintenance on AS ABAP in the SAP Help Portal.
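As an added example, not code from SAP or from the Secure Login Server, the following Python script shows the mapping step described in this example: it builds a certificate subject DN from constructed LDAP attributes, derives the SNC name (the prefix p: followed by the certificate DN) and resolves it against a constructed SU01-style table. The LDAP attribute names, the DN template, the attribute-type alias table and the comparison rules (attribute types folded case-insensitively, values compared exactly after trimming) are assumptions made for the illustration. The last lookup shows the check that matters during migration: a certificate whose DN carries a different attribute set than the SNC name entered in SU01 maps to no user at all.

```python
"""Added example (not SAP's code): resolve a user certificate's subject DN to an
SAP user via SU01-style SNC name mappings. Attribute names, DN template and
comparison rules are assumptions for the illustration."""
import re
from typing import Dict, List, Optional, Tuple

# Attribute type aliases folded to one spelling (assumption: the issuing side
# and the SU01 entry may spell the e-mail attribute type differently).
ATTR_ALIASES = {
    "EMAILADDRESS": "E", "EMAIL": "E", "E": "E",
    "COMMONNAME": "CN", "CN": "CN",
    "ORGANIZATION": "O", "O": "O",
    "ORGANIZATIONALUNIT": "OU", "OU": "OU",
    "COUNTRY": "C", "C": "C",
}

# Constructed LDAP entry as the Secure Login Server would read it from the
# search base; the attribute names are assumed.
LDAP_ENTRY = {"cn": "jsmith", "mail": "j.smith@example.com"}

# Assumed DN template: which LDAP attribute ends up in which DN attribute.
DN_TEMPLATE = "CN={cn}, E={mail}, O=Example Corp, C=DE"

# Constructed SU01 entries: SNC name -> SAP user. SNC names of X.509
# identities are the certificate DN with the "p:" prefix.
SU01_SNC_NAMES = {
    "p:CN=jsmith, E=j.smith@example.com, O=Example Corp, C=DE": "JSMITH",
    "p:CN=adoe, E=a.doe@example.com, O=Example Corp, C=DE": "ADOE",
}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (TYPE, value) pairs; a comma escaped with a backslash stays in the value."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr = attr.strip().upper()
        rdns.append((ATTR_ALIASES.get(attr, attr), value.strip()))
    return rdns


def canonical_dn(dn: str) -> str:
    """Normalised DN string: canonical attribute types, single ', ' separator."""
    return ", ".join(f"{attr}={value}" for attr, value in parse_dn(dn))


def build_subject_dn(entry: Dict[str, str], template: str = DN_TEMPLATE) -> str:
    """Fill the DN template with the LDAP attribute values of the user."""
    return template.format(**entry)


def snc_name(subject_dn: str) -> str:
    """SNC name of an X.509 identity: 'p:' followed by the canonical DN."""
    return "p:" + canonical_dn(subject_dn)


def resolve_sap_user(subject_dn: str, su01: Dict[str, str] = SU01_SNC_NAMES) -> Optional[str]:
    """Return the SAP user whose SU01 SNC name equals the certificate DN, else None.

    Only the attribute types are folded; values are compared exactly after
    trimming. A missing or extra attribute in the certificate means no match."""
    wanted = snc_name(subject_dn)
    for mapped, sap_user in su01.items():
        if mapped.startswith("p:") and snc_name(mapped[2:]) == wanted:
            return sap_user
    return None


if __name__ == "__main__":
    dn = build_subject_dn(LDAP_ENTRY)
    print(dn, "->", resolve_sap_user(dn))
    # Same identity with other spellings of the types and spacing: still resolves.
    print(resolve_sap_user("cn=jsmith,emailAddress=j.smith@example.com,o=Example Corp,c=DE"))
    # Certificate issued without the e-mail attribute: the SU01 entry does not match.
    print(resolve_sap_user("CN=jsmith, O=Example Corp, C=DE"))
```

When you add attributes such as the e-mail address to the certificate DN during migration, the SNC names maintained in SU01 must be re-entered with exactly that attribute set; the third lookup in the script is the symptom of an SU01 entry that was not updated.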

5.4.7.2 Configuring the Certificate Attributes for User Mapping when Migrating Secure Login Server

This topic describes the certificate attribute configuration during a migration of Secure Login Server.

Context

The Certificate Attribute Configuration contains all the attributes that are transferred from the Secure Login Server to the Secure Login Client. In Instance Management, SAP NetWeaver Single Sign-On 1.0 only offered a user-defined property called DN, which could be used for static entry of a Distinguished Name for LDAP and SPNego profiles. The user certificate attribute configuration of SAP Single Sign-On 2.0 is much more flexible than the user-defined property DN.

Procedure

1. Go to Certificate Attribute Configuration. This section contains the certificate attributes that are passed on in the certificate when a client or a Secure Login Client authenticates.

2. Activate the checkbox Enable User Logon ID Padding. This displays the user logon ID padding parameters.

3. Choose the corresponding instance in Secure Login Administration Console of SAP NetWeaver Single Sign-On 1.0 and memorize the values of the user-defined property.

4. Enter the values from SAP NetWeaver Single Sign-On 1.0 into the parameters wherever possible using the appropriate format.

5. Save your changes.

For more information about which parameters of SAP Single Sign-On 2.0 correspond to those in 1.0, see the related link.

Related Information

Parameters for Certificate Attribute Configuration [page 293]

These are the parameters for the certificate attributes for user mapping that the Secure Login Server passes on to the Secure Login Client.

Mapping of Parameters for User Certificate Attribute Configuration [page 304]

During a migration, this table enables you to map the user certificate attributes from SAP Single Sign-On 2.0 with the user-defined property in SAP NetWeaver Single Sign-On 1.0.

5.4.7.3 Configuring User Logon ID Padding (Optional) in Secure Login Server

Context

The optional user logon ID padding is also transferred from the Secure Login Server to the Secure Login Client. In Instance Management, SAP NetWeaver Single Sign-On 1.0 offered only user-defined properties for the padding character, the padding length, and the maximum length.

Prerequisite

You have set the common name to PADDEDNAME in the certificate attribute configuration.

Procedure

1. Go to User Logon ID Padding (Optional). This section contains the padding parameters that are passed on in the certificate when a client or a Secure Login Client authenticates.

2. Activate the checkbox Enable User Logon ID Padding. This displays the user logon ID padding parameters.

3. Choose the corresponding instance in Secure Login Administration Console of SAP NetWeaver Single Sign-On 1.0 and memorize the values of the respective user-defined properties.

4. Enter the values from SAP NetWeaver Single Sign-On 1.0 into the parameters wherever possible using the appropriate format.

5. Save your changes.

For more information about the user logon ID padding parameters, see Parameters for User Logon Padding.

For migration purposes, see also Mapping of Parameters for User Logon ID Padding.
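As an added example, not SAP code, the following Python functions model the padding parameters of this topic and the check a practitioner would want to run before switching the common name to PADDEDNAME. How the padding character, padding length and maximum length are applied is an assumption made for the illustration (right-padding to the padding length; logon IDs longer than the maximum length are rejected, or optionally truncated); the logon IDs are constructed. The collision check shows why truncation, and a padding character that can itself occur at the end of a logon ID, are risky: two different LDAP users can end up with the same PADDEDNAME and therefore with certificates carrying the same common name.

```python
"""Added example (not SAP's code): model of user logon ID padding for the
PADDEDNAME common name, plus a collision check over constructed logon IDs.
The padding semantics below are an assumption, not the documented algorithm."""
from typing import Dict, Iterable, List


def pad_logon_id(logon_id: str, pad_char: str, pad_length: int,
                 max_length: int, truncate: bool = False) -> str:
    """Return the PADDEDNAME value for one logon ID.

    Assumed semantics: the ID is right-padded with pad_char up to pad_length.
    An ID longer than max_length is rejected, or cut to max_length when
    truncate=True (the unsafe variant the collision check below exercises)."""
    if len(pad_char) != 1:
        raise ValueError("padding character must be exactly one character")
    if pad_length > max_length:
        raise ValueError("padding length must not exceed maximum length")
    if len(logon_id) > max_length:
        if not truncate:
            raise ValueError(f"{logon_id!r} exceeds maximum length {max_length}")
        logon_id = logon_id[:max_length]
    return logon_id.ljust(pad_length, pad_char)


def padded_name_collisions(logon_ids: Iterable[str], pad_char: str,
                           pad_length: int, max_length: int) -> Dict[str, List[str]]:
    """Map every PADDEDNAME produced by more than one logon ID to those IDs.

    Run this over the logon IDs of the LDAP search base before enabling
    padding: each entry is a group of users that would receive certificates
    with the same common name."""
    seen: Dict[str, List[str]] = {}
    for logon_id in logon_ids:
        padded = pad_logon_id(logon_id, pad_char, pad_length, max_length, truncate=True)
        seen.setdefault(padded, []).append(logon_id)
    return {padded: ids for padded, ids in seen.items() if len(ids) > 1}


# Constructed logon IDs; "JSMITH_" (ends with the padding character) and
# "ANNADOEVERYLONGNAME" (longer than the maximum length) cause the collisions.
SAMPLE_LOGON_IDS = ["JSMITH", "JSMITH_", "ADOE", "ANNADOEVERYLONGNAME", "ANNADOEVERYL"]

if __name__ == "__main__":
    print(pad_logon_id("JSMITH", "_", 12, 12))
    for padded, ids in padded_name_collisions(SAMPLE_LOGON_IDS, "_", 12, 12).items():
        print(f"collision on {padded!r}: {ids}")
```

Choose a padding character that cannot appear in a logon ID, and treat any collision reported by the check as a blocker: once two users share a common name, the SNC name mapping on the application side can no longer tell them apart.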